Closed golanorbi closed 2 years ago
This is about a vulnerability in jQuery UI, which isn't included in Drupal 6 core. However, there was a security release made for the jquery_ui module:
It is possible that these vulnerabilities are exploitable via contributed Drupal modules or custom code. As a precaution, this Drupal security release applies the fix for the above cross-site scripting issues, without making other changes to the jQuery UI version that is included in Drupal.
It says that the fix was made in Drupal Core, and not in jQuery UI module. jQuery UI module stayed untouched regarding this vulnerability. So, is there a plan to issue a Drupal 6.60 to fix this?
Is there a Drupal 6.60 release that fixes the following XSS vulnerabilities?
An XSS vulnerability has been found in Drupal Core that is related to the jQuery UI contrib module:
Furthermore, other vulnerabilities listed below were previously unaddressed in the version of jQuery UI included in Drupal 7 or in the jQuery Update [7] module:
Important note regarding the jQuery Update contrib module
These backport fixes in D7 have also been tested with the version of jQuery UI provided by the most recent releases of the jQuery Update module (jQuery UI 1.10.2) and the fixes confirmed. Therefore, there is no accompanying security release for jQuery Update.
However, in early 2022 the currently supported release of jQuery Update (7.x-2.7 from 2015) will be deprecated and replaced by a new release from the 7.x-4.x branch. The stable release from that branch will then be the only release considered by Drupal Security Team when new jQuery security issues arise.
Please check the jQuery Update project page [11] for more details, and for announcements when the changes are made to supported releases.
For more details:
https://www.drupal.org/sa-core-2022-002
The suggested solution:
Install the latest version: